Data Act Deep Dive: Part 5 – B2C Notice And Transparency Requirements

In Part 5, the final part of our 'Deep Dive' series, we explore B2C transparency and notice requirements under the Act.

In Part 4 of our 'Deep Dive' series on the EU Data Act (Act), we explored unfair terms in a B2B context. The Act marks the first time these protections have been extended to B2B contracts.

Overview: Transparency & (Prospective) Data Holders

The Act requires companies to provide details of how certain data is generated, stored, and used before a contract is signed. The purpose of providing such transparency information is to ensure that users (as consumers) have greater control over the use of their data and to enhance easy access to their data (Recital 24 of the Act).

The obligation to provide transparency information rests with the prospective data holder under the Act. Where the requisite information changes from the originally specified purpose during the lifetime of the connected product or the contract period for the related service, including where the purpose for which those data are to be used changes, that information should also be provided to the user (Recital 24 of the Act).

The Act provides that the pre-contractual transparency obligation can be met by making the required information available on a website (similar to a GDPR website privacy notice) that is accessible to users by a web link or QR code at the pre-contractual stage. This information must remain available to users for future reference (Recital 24 of the Act).

B2C Pre-Contractual Transparency Requirements

1. Connected Products

Article 3(2) of the Act sets out pre-contractual information obligations for providers of connected products. Before concluding a contract with consumers for the purchase of a connected product, the provider of that product must provide the consumer with at least the following information in a clear and comprehensible manner:

• the type, format and estimated volume of product data which the connected product is capable of generating;
• whether the connected product can generate data continuously and in real-time;
• whether the connected product can store data on-device or on a remote server, including the intended duration of retention; and
• how users may access, retrieve or, where relevant, erase data, including the technical means to do so, as well as their terms of use and quality of service.

2. Related Services

Article 3(3) of the Act sets out pre-contractual information obligations for the "prospective data holder" of a related service. The provider of a related service must provide at least the following information in a clear and comprehensible manner:

• the nature, estimated volume, and collection frequency of product data expected to be obtained and, where relevant, the arrangements for users to access or retrieve such data, including storage methods and retention periods;
• the nature, estimated volume, and collection frequency of related service data to be generated and, where relevant, the arrangements for users to access or retrieve such data, including storage methods and retention periods;
• whether the prospective data holder expects to use 'readily available' data itself and/or share it with third parties, including the purposes of such use;
• the identity and contact details of the prospective data holder (e.g. name and address) and, where applicable, the other data processing parties;
• the means of communication to contact the prospective data holder "quickly" and "efficiently";
• how the user can request data to be shared with a third party and, where applicable, end the data sharing;
• information about a user's right to lodge a complaint with a competent authority;
• whether the data includes trade secrets and who holds them; and
• the duration of the contract between the user and the prospective data holder, in addition to the arrangement for terminating the contract.

Overlap with the GDPR

The Act makes several references to, and applies in some instances, in addition to the GDPR, where personal data is processed. There is an overlap and similarity in the obligation to provide transparency information and obligations under the GDPR, including:

• the point at which such information must be provided to users (e.g. in the pre-contractual stage, which is before data collection and/or generation);
• the ongoing requirement to ensure transparency notices are "living" documents, which contain clear, comprehensible information for users and are continually updated where necessary;
• the ongoing requirement to ensure that transparency information is readily accessible to individuals;
• the content of such notices (e.g. the details of the data holder, details about retention, data sharing, data rights (including the right to file a complaint with the competent authority, etc.).

Conclusion

The Act's transparency requirements for B2C contracts ensure that consumers understand how their data is accessed, stored, used, and shared. These rules have been in effect since 12 September 2025, and organisations must ensure that these pre-contractual information obligations are met to ensure compliance.

The Act sets a higher standard for digital transparency and represents a significant shift in how consumers engage with digital products and services. It also marks new obligations for data holders who must now implement and maintain updated or standalone data-related information notices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.